Fix permission regarding camera HAL, raidoExt and rlsservice

Bug: 264483024
Bug: 264489641
Bug: 263185565
Test: selinux log
Change-Id: Ieb174aef18c218efdcb357245c7d5ac4953a949c
Xu Han 2023-01-06 10:56:20 -08:00
parent ffdcbabbab
commit b8ab0fed91
4 changed files with 32 additions and 31 deletions


@ -6,5 +6,3 @@ dontaudit hal_camera_default gxp_device:chr_file { read write };
userdebug_or_eng(` userdebug_or_eng(`
permissive hal_camera_default; permissive hal_camera_default;
') ')
# b/264483024
dontaudit hal_camera_default hal_radioext_hwservice:hwservice_manager { find };


@ -1,29 +0,0 @@
# b/263185565
dontaudit rlsservice aoc_device:chr_file { getattr };
dontaudit rlsservice aoc_device:chr_file { open };
dontaudit rlsservice aoc_device:chr_file { read write };
dontaudit rlsservice apex_info_file:file { getattr };
dontaudit rlsservice apex_info_file:file { open };
dontaudit rlsservice apex_info_file:file { read };
dontaudit rlsservice apex_info_file:file { watch };
dontaudit rlsservice device:dir { read };
dontaudit rlsservice device:dir { watch };
dontaudit rlsservice rls_service:service_manager { add };
dontaudit rlsservice sysfs_leds:dir { search };
dontaudit rlsservice sysfs_leds:file { open };
dontaudit rlsservice sysfs_leds:file { read };
dontaudit rlsservice vendor_camera_prop:file { getattr };
dontaudit rlsservice vendor_camera_prop:file { map };
dontaudit rlsservice vendor_camera_prop:file { open };
dontaudit rlsservice vendor_camera_prop:file { read };
dontaudit rlsservice vndbinder_device:chr_file { ioctl };
dontaudit rlsservice vndbinder_device:chr_file { map };
dontaudit rlsservice vndbinder_device:chr_file { open };
dontaudit rlsservice vndbinder_device:chr_file { read };
dontaudit rlsservice vndbinder_device:chr_file { write };
dontaudit rlsservice vndservicemanager:binder { call };
dontaudit rlsservice vndservicemanager:binder { transfer };
# b/264489641
userdebug_or_eng(`
permissive rlsservice;
')


@ -68,8 +68,13 @@ allow hal_camera_default sysfs_leds:file r_file_perms;
# Allow camera HAL to query preferred camera frequencies from the radio HAL # Allow camera HAL to query preferred camera frequencies from the radio HAL
# extensions to avoid interference with cellular antennas. # extensions to avoid interference with cellular antennas.
allow hal_camera_default hal_radioext_hwservice:hwservice_manager find;
binder_call(hal_camera_default, hal_radioext_default); binder_call(hal_camera_default, hal_radioext_default);
# For camera hal to talk with rlsservice
allow hal_camera_default rls_service:service_manager find;
binder_call(hal_camera_default, rlsservice)
# Allow camera HAL to send trace packets to Perfetto # Allow camera HAL to send trace packets to Perfetto
userdebug_or_eng(`perfetto_producer(hal_camera_default)') userdebug_or_eng(`perfetto_producer(hal_camera_default)')
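Review bot: The added comment `# For camera hal to talk with rlsservice` does not say which service manager the `rls_service` lookup goes through. vendor/rlsservice.te in this same commit sets the domain up with `vndbinder_use(rlsservice)` and `add_service(rlsservice, rls_service)`, so the lookup is presumably over vndbinder; wording such as `# Camera HAL looks up rls_service (registered by rlsservice over vndbinder) and calls into it` would explain why both the `find` rule and the `binder_call` are needed. The new `binder_call(hal_camera_default, rlsservice)` also drops the trailing semicolon that `binder_call(hal_camera_default, hal_radioext_default);` two lines above carries; use one form throughout the file.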

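--- a/vendor/rlsservice.te
+++ b/vendor/rlsservice.te
@@ -2,4 +2,31 @@ type rlsservice, domain;
 type rlsservice_exec, exec_type, vendor_file_type, file_type;
 init_daemon_domain(rlsservice)
+vndbinder_use(rlsservice)
+add_service(rlsservice, rls_service)
+# access rainbow sensor calibration files
+allow rlsservice persist_file:dir search;
+allow rlsservice persist_camera_file:dir search;
+allow rlsservice persist_camera_file:file r_file_perms;
+allow rlsservice mnt_vendor_file:dir search;
+# access device files
+allow rlsservice rls_device:chr_file rw_file_perms;
+binder_call(rlsservice, hal_camera_default)
+# Allow access to display backlight information
+allow rlsservice sysfs_leds:dir search;
+allow rlsservice sysfs_leds:file r_file_perms;
+# Allow access to always-on compute device node
+allow rlsservice device:dir r_file_perms;
+allow rlsservice aoc_device:chr_file rw_file_perms;
+# For observing apex file changes
+allow rlsservice apex_info_file:file r_file_perms;
+# Allow read camera property
+get_prop(rlsservice, vendor_camera_prop);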
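Review bot: `allow rlsservice device:dir r_file_perms;` applies a file permission set to a directory of the generic `device` type, which grants more than the denials this commit retires. The deleted tracking file lists only `device:dir { read }` and `device:dir { watch }` for rlsservice. Narrowing the rule to `allow rlsservice device:dir { read watch };` would keep the domain at what the log showed it needs; if a macro is preferred, `r_dir_perms` is the directory counterpart. The comment above that rule mentions only the always-on compute node, so a line such as `# Watch /dev for the AoC node to appear` (if that is the purpose) would explain the directory access. `get_prop(rlsservice, vendor_camera_prop);` is also the only macro call in this hunk with a trailing semicolon.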